More than 230 million ransomware attempts were recorded globally in the first half of 2022. This figure represents a 23% drop from the previous year. However, context here is critical. 2021 was a significant outlier, representing a 1.5x jump from the previous year as organizations grappled with a sudden remote-first environment during the pandemic. We expect the longer-term upward trend, shown in the chart below, to continue as attack surfaces multiply exponentially, ransomware threat actors evolve, and geopolitical conditions that foster and incentivize cybercriminal activity persist.

Source: SonicWall


There are several possible reasons for this year’s decline in attacks from record levels in 2021. These include more stringent requirements from cybersecurity insurance underwriters and the hardening of companies’ defense postures in response to successful – at least initially – high-profile attacks, such as that on Colonial Pipeline. But some in the government, like NSA Director of Cybersecurity, Rob Joyce, point instead to specific geopolitical factors. He believes that the Russians have shifted their focus to Ukraine and scaled back their ransomware efforts, and that U.S. sanctions on Russia over Ukraine have made it harder for Russian cybercriminals to operate. It’s worth noting in this context that blockchain data platform, Chainalysis, estimated that nearly three quarters of the $400+ million in ransom paid last year went to groups likely to be affiliated with Russia.¹

Beyond sheer volume, ransomware attacks are growing in sophistication and severity. Recent trends in ransomware include:

Multi-extortion: In traditional ransomware schemes, cybercriminals break into victims’ file storage, encrypt the files, and demand payments to decrypt them. Applying multi-extortion techniques, attackers not only encrypt the files of an organization but also threaten to name and shame the victims by publicizing the attacks and releasing data, and to launch additional attacks against the victims through distributed denial of service and other means.

Ransomware as a Service (RaaS): An increasing number of organizations are employing an RaaS model, providing cybercriminals with “start-up kits” and “support services” to help them get into and operate a ransomware business. The ready availability of such tools lowers the technical barriers to entry and accelerates the speed with which attacks can be launched and spread. This evolution also underscores the organized crime aspect of the ransomware “business,” as well as the impunity with which those involved operate. In 2022 many of the top ransomware variants could be associated with, or leased from, well-known ransomware gangs. The tables below from cyber insurance company, Coalition, show the top ransomware variants measured by the percentage of insurance claims reported and the average ransom demand from each. Coalition also reported that phishing was the most common attack vector for ransomware in 2022, accounting for nearly two thirds of all claims.


Vulnerabilities: Ransomware attackers are leveraging a wider variety of vulnerabilities to gain access to organizations’ data. The timeframe from vulnerability to exploitation is also getting shorter.

Recent surveys suggest that ransomware prices are going up, possibly due to attackers focusing their attention on larger, more well-heeled targets, as well as having better intelligence on the victim’s ability to pay. According to a 2022 survey by cybersecurity firm Sophos, 2021 marked an almost threefold increase in the proportion of ransomware victims paying ransoms of $1 million or more, and a nearly 5X rise in the average ransom payment, which now stands at over $800,000.² The same survey revealed that while over 99% of ransomware victims got some encrypted data restored, only 4% of those that paid the ransom got all their data restored.

While the number of ransomware attacks may have dropped relative to 2021, ransomware threat actors took full advantage of the chaos surrounding the pandemic and the explosion in digitization that has ensued to expand their operations. On a five-year trend line, ransomware threat levels remain high and are still rising, which, combined with the increased sophistication in ransomware attack techniques, portends a heightened threat to organizations across the globe. As ransomware threat actors and tactics evolve, organizations of all sizes should prepare for a continually fraught cyber threat landscape.


1 “The 2022 Crypto Crime Report,” Chainalysis, February 2022

2 “The State of Ransomware 2022,” Sophos, April 2022